Mobile device security
P K on how to cope with the security risks associated with mobile devices
If a mobile device or data medium does not have adequate protection, an unauthorised
- Boot a PC using an external medium like a CD or
USB memory stick and so access all the saved data without activating the operating
systems access control.
- Spy on confidential documents and information to
either use or sell to a third party.
- Read key information or create passwords from the
RAM (from swapfiles or hibernation files) and use these to access the users
encrypted files or to gain access to the corporate network.
- Reconfigure the operating systems security
mechanisms so that they are no longer effective the next time the PC is booted.
- Use dictionary attacks to hack the local password
database to acquire valid user passwords.
- Use the PC or data medium to import undesirable
data and sneak in harmful programs that then compromise system stability.
Unauthorised persons who gain access to mobile devices and desktop PCs can compromise
confidential data. For example, using copying tools an entire hard disk can
be copied in a very short time and then data can be spied on at leisure without
the user noticing the loss. To protect themselves effectively against these
types of attacks, it is recommended that companies use special security software
to complement the operating systems own mechanisms and guard their PCs,
operating systems and data against changes or unauthorised access. Companies
need a security solution that can not only protect them against this threat
but also ensure that unauthorised persons cannot access their saved data or
the rest of their IT infrastructure.
The most important security mechanisms that can be used to protect against risks
are encryption and user authentication. Operating systems usually have a range
of basic functions for this purpose, but these are often not powerful enough
to provide real IT security in a business environment. To equip themselves with
protection beyond the operating systems basic tool set, companies need
additional security software which will either extend or replace the operating
systems protection mechanism.
Reliable protection against data misuse means that all data must be encrypted,
without exception. Although this sounds very obvious and simple, it is far from
whats happening in practice. There are applications which offer encryption
options, but only for the specific file formats used by those particular applications.
The security solution must perform encryption on the entire data medium (base
encryption); every character must be automatically encrypted or decrypted
every time it is written or read, no matter which file it belongs to. This includes
all the system data for the operating system or an application. The security
solution must be able to support several generations of hardware and operating
systems as well as the large number of file formats that are often involved
in heterogeneous environments.
To save time when starting a system, and to conserve battery power, notebook
users often use hibernation or Suspend to Disk mode. In an unprotected
notebook, this hibernation file is an attractive target for data thieves because
it contains all the information present when the notebook was frozen, including
all the files that the user had just been working on, or the keywords and even
passwords in use at that time. To guarantee effective protection against data
misuse, these hibernation files must also be encrypted, just like the other
Just like clients, exchangeable data media such as USB memory sticks or memory
cards can get lost, stolen or misused by unauthorised users. The protection
for exchangeable data media must not only ensure the confidentiality of the
data saved on them, but also prevent the importing of harmful programs which
a user might bring from home. This is why any security software used to protect
the data on PCs against misuse should also be able to protect not only the client
itself but also all the exchangeable data media commonly in use in the company.
The algorithm used by the security solution is also a major factor. Public algorithms
have the advantage that scientists and cryptographers all over the world have
already tested their security and efficiency. The current standard for symmetrical
encryption algorithms used to encrypt useful data is the AES algorithm with
key lengths of 128 or 256 bits. A reliable security software system should offer
this AES algorithm at the very least. In the international environment, the
flexibility of encryption algorithms plays a major role: country-specific cryptographic
regulations often mean that multinational companies can install encryption software
at only some of their sites. The security solution must provide support for
all the major public algorithms (such as AES, IDEA-128 and 3DES) used worldwide.
However, encryption by itself does not make a security solution. Equally important
is an efficient way of authenticating users. The simplest method of user authentication
is password-based. Most security solutions provide user ID and a password as
a default mechanism. However, passwords can be passed on deliberately or even
spied out. A second layer, such as a hardware token for authentication, can
improve the reliability of the authentication process. Only a user who can provide
a token and its pin will be authenticated.
Even the best security software is no good if it is not activated. To prevent
an operating system from being manipulated from outsidefor example, by
booting with external media like CDs or USB sticks and then targeting the hard
diska users access rights must be checked before the boot procedure
itself. The security software must have Pre-Boot Authentication (PBA); this
ensures that users are authenticated before the operating system boots.
The acceptance and therefore the actual implementation of security mechanisms
in companies depend on how difficult or easy they are to use in daily operation.
For a security solution to be accepted, it must be as invisible as possible
for its end users. In the best-case scenario, apart from the necessary authentication,
the user experience should not be altered in any way.
The security solution must provide a way to handle emergency situations such
as password loss or the client operating system not booting up. The solution
must have a range of recovery mechanisms for handling these situations. For
instance, if the operating system can no longer be booted, it must still be
possible to perform emergency decryption of the data medium once
correct authentication has been performed.
Suresh P K is with Ramco Systems.